German cyberwarriors assert right to ‘hack back’ when attacked

COLOGNE, Germany – German authorities believe they are on firm legal footing to retaliate against cyber attacks by unleashing digital or conventional counterattacks, according to a series of recent written responses by government officials to lawmakers.

The documents shed light on some of the legal considerations of cyber-warfare mulled in Berlin, just as the Bundeswehr moves toward full operational capability of a new command devoted to cyber operations.

Some of the assertions outlined in a missive last month are surprisingly hawkish for a country reflexively averse to the use of military force. While acknowledging certain gray areas in responding to potentially crippling cyber attacks, officials also made clear that defending the country would afford the security services broad leeway under international law.

“Just as in the land, air and naval domains, the Bundeswehr possesses 'active and reactive' capabilities that can be used for lawful operations,” Peter Tauber, the parliamentary deputy defense secretary, wrote to a collection of lawmakers from the opposition Green Party.

So-called hack backs, or the retaliatory targeting of an attacker’s information infrastructure, fall into that category, according to Tauber. As such, no new legal authorities for cyber defense would be required, he argued. At the same time, officials noted that such counterattacks would be permitted only as a counter-strike, not as an unprovoked act.

In a May response to lawmakers from the opposition FDP party, government officials went even further. In certain situations, cyberattacks could be judged as “armed attacks” as defined under the United Nations Charter, permitting self-defense with “all allowable military means,” officials said.

For acts of aggression below that threshold, Germany would still be entitled to initiate “countermeasures” depending on the severity of the incursion, including the deployment of forces, officials contended.

Critics here say hack-back operations are flawed because they occur in too nebulous of a battlefield. Sophisticated cyber foes are adept at concealing their identities, making it hard to know exactly where an attack originates. That could end up involving innocent parties in hack-back campaigns, who themselves strike back at whoever they believe is the aggressor.

Jakob Kullik, a research analyst at the Technical University of Chemnitz, said the German intelligence services have especially shown an interest in the topic of counterattacks in cyberspace. He cautioned against being too cavalier about their effects. “You have to be careful,” he argued, noting that critical civilian information infrastructure could easily get tangled up in an escalating cyberwar.

The German Defence Ministry created the Cyber and Information Space Command in the spring of 2017. Of the organization’s envisioned size of 15,000 staff members by 2022, there were 10,400 individuals assigned to it as of July, according to the ministry.

Germany Defence and Interior ministry officials are pushing for the creation of a new agency this year that will study disruptive technologies relevant to Germany’s defense and security.

By: Sebastian Sprenger

The move came as Germany’s armed forces found themselves increasingly targeted by online attacks. The government told lawmakers that officials had counted 2 million potentially harmful attempts to access Bundeswehr networks in 2017, of which 8,000 were classified as “highly” dangerous.

Asked by a lawmaker earlier this year about statistics on so-called advanced persistent threats — a crippling form of cyberattacks meant to steal or corrupt sensitive government information — the Defence Ministry clammed up, according to a written response dated June 15.

That information is considered so sensitive that releasing it even under the most stringent security rules and only to the smallest group of parliamentarians carries the risk of “enemy forces” getting wind of the information, possibly giving them a chance to plan future attacks accordingly, the Defence Ministry wrote.

Despite the German armed forces' newfound emphasis on all things cyber, shortcomings remain, according to Kullik. For one, authorities for cyber operations are spread across the federal government and states, which means the bureaucracy is sluggish, he argued. Government leaders also were “too dozy” in pushing the issue over the past years, which means the country is now playing catchup compared to others, he added.